Citibank CitiDirect Online Banking is forcing usage of vulnerable 
version of Java Runtime Environment.


     Vulnerable product information

CitiDirect Online Banking [is a] Citibank's Web-based banking platform. 
CitiDirect puts all your corporate banking functions in one 
security-protected place, giving you around the globe, centralized 
access to your account information in real time right from your desktop.
<https://www.citidirectonline1.citidirect.citicorp.com/web/cda/home.jsp>

CitiDirect® is available in more than 90 countries and in 21 languages. 
It has more than 150,000 users within 25,000 corporate clients. [in 
2004, now probably many more]
<http://www.citigroup.com/transactionservices/home/about_us/press_room/archives/2004/2004_0203.jsp>


     Vulnerability description

CitiDirect requires Java Runtime Environment (JRE) installed on client's 
computer and Java plugin enabled in client's browser. But it requires a 
"supported version" of Java, a list of which often does not include 
latest version for months after release:
     Supported JRE Versionse
     https://citidirect-eb.citicorp.com/logon/SunVersionHelp.html
It is now over _3_ _months_ after release of Java 6 update 19, with 27 
security vulnerabilities fixed:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
It is still "unsupported" though. And there's now update 20 released, 
which closes another vulnerability currently exploited in the wild.

Users of unsupported version of JRE are denied access to online banking 
- "The version of Sun Java™ software currently installed on your 
computer does not meet the requirements to run CitiDirect® Online Banking".


     Impact of vulnerability

Users are forced to use in a browser a version of JRE plugin, that is 
vulnerable to publicly known vulnerabilities, with publicly available 
exploits.

Also users are trained to ignore notifications from Java about new 
versions, as installing it denies them access to their money. It makes 
them vulnerable permanently.


     Vendor response

I've tried to contact Citibank at least from August 2007.

I wasn't able to find a security contact anywhere on a citigroup.com 
pages. I've tried to contact by a web form 
https://www.citibank.com/domain/contact/visitor_email/form.htm but 
haven't received a response.

So I have contacted phone support for Poland. Their responses were 
"entertaining", like:
- we use 256 bit encryption so we are very secure;
- you can use a vulnerable Java, because we will not try to break to 
your computer;
- nobody will be able to write an exploit targeting a bank in a few 
weeks before a new version of Java is tested and marked supported.


     Suggested actions for vendor

Vendor should allow latest and future versions of Java to access the 
site. It can display a warning, that this version of Java is not fully 
tested for at most a week after a new Java release.

Vendor should also display a prominent warning if it detects a 
vulnerable version of Java in client's computer urging him to upgrade. 
This way it can at least try to repair damage it did already.


     Suggested actions for clients

Change a bank, as Citibank is blatantly ignorant about security. Then 
upgrade or uninstall Java as soon as possible.


     Suggested actions for others

Do not try to compromise Citibank's clients or employees computers - 
it's not their fault that they have to use insecure Java. Pretty please.


Regards
Tomasz "Tometzky" Ostrowski
-- 
...although Eating Honey was a very good thing to do, there was a moment 
just before you began to eat it which was better than when you were...
                                                       Winnie the Pooh